NetBSD-Bugs archive


lib/56260: [PATCH] Out-of-bounds stack read in lib/libc/gen/vis.c

>Number:         56260
>Category:       lib
>Synopsis:       [PATCH] Out-of-bounds stack read in lib/libc/gen/vis.c
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    lib-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Fri Jun 18 10:05:00 +0000 2021
>Originator:     Alex Richardson
>Release:        N/A
I found an out-of-bounds stack read in the vis code when running FreeBSD compiled for CHERI. Since the vis code in FreeBSD is the same as NetBSD lib/libc/gen/vis.c the patch also applies here.

Call vis(3) without the VIS_NOLOCALE flag and with two non-ASCII chars: it passes a 2-byte buffer to istrsenvisx, but the first loop iteration may attempt to decode up to MB_LEN_MAX bytes from the two-char buffer.
Apply the patch from - replace MB_LEN_MAX with MIN(mbslength, MB_LEN_MAX)

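The following is an added example that is not part of the report, the NetBSD/FreeBSD source, or the referenced patch. It models the first loop iteration described above with a simplified stand-in for istrsenvisx (decode_first is a hypothetical helper, not the libc function): a two-byte buffer {c, nextc} is handed to mbrtowc(3) once with MB_LEN_MAX as the byte limit and once with MIN(mbslength, MB_LEN_MAX). The bytes are constructed so that the byte just past the two-byte buffer completes a valid UTF-8 sequence, which makes the over-read visible as a "successful" three-byte decode instead of the incomplete-sequence result the caller should get. It assumes a UTF-8 locale can be selected; if none is available the demo reports that rather than guessing.

```c
#include <limits.h>
#include <locale.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <wchar.h>

#ifndef MIN
#define MIN(a, b) ((a) < (b) ? (a) : (b))
#endif

/*
 * Hypothetical stand-in for the first iteration of the decode loop: decode
 * the first multibyte character of mbsrc, a buffer of mbslength bytes.
 * clamp == 0: the decoder may look at MB_LEN_MAX bytes (the reported bug).
 * clamp == 1: the decoder may look at MIN(mbslength, MB_LEN_MAX) bytes (the fix).
 * Returns the mbrtowc(3) result: bytes consumed, (size_t)-2 for an incomplete
 * sequence, or (size_t)-1 for an invalid one.
 */
static size_t
decode_first(const char *mbsrc, size_t mbslength, int clamp)
{
	mbstate_t mbstate;
	wchar_t wc;
	size_t n = clamp ? MIN(mbslength, MB_LEN_MAX) : MB_LEN_MAX;

	memset(&mbstate, 0, sizeof(mbstate));
	return mbrtowc(&wc, mbsrc, n, &mbstate);
}

/*
 * Reproduce the vis(3) shape: a two-byte buffer {c, nextc}. So that the
 * over-read stays in mapped memory and is observable, the two bytes sit at
 * the start of a larger backing array whose next byte (constructed here)
 * completes a valid UTF-8 sequence, the way unrelated stack contents might.
 * Returns 0 if no UTF-8 locale could be selected, 1 otherwise; *buggy and
 * *fixed receive the results of the unclamped and clamped decodes.
 */
int
demo_two_byte_buffer(size_t *buggy, size_t *fixed)
{
	/* Constructed input: U+20AC (EURO SIGN) is E2 82 AC in UTF-8. */
	char backing[MB_LEN_MAX + 4];
	const size_t mbslength = 2;

	if (setlocale(LC_CTYPE, "C.UTF-8") == NULL &&
	    setlocale(LC_CTYPE, "en_US.UTF-8") == NULL)
		return 0;

	memset(backing, 0, sizeof(backing));
	backing[0] = (char)0xE2;	/* c */
	backing[1] = (char)0x82;	/* nextc: the caller's buffer ends here */
	backing[2] = (char)0xAC;	/* beyond the two-byte buffer */

	*buggy = decode_first(backing, mbslength, 0);	/* consumes 3 bytes */
	*fixed = decode_first(backing, mbslength, 1);	/* (size_t)-2: incomplete */
	return 1;
}

int
main(void)
{
	size_t buggy, fixed;

	if (!demo_two_byte_buffer(&buggy, &fixed)) {
		printf("no UTF-8 locale available\n");
		return 1;
	}
	printf("MB_LEN_MAX limit:           consumed %zu bytes from a 2-byte buffer\n",
	    buggy);
	printf("MIN(mbslength, MB_LEN_MAX): %s\n",
	    fixed == (size_t)-2 ? "incomplete sequence (correct)" : "unexpected");
	return 0;
}
```

Nothing in mbrtowc(3) can detect that n exceeds the caller's buffer; the byte limit is the only bound it has, which is why clamping it to the remaining length is the right fix rather than checking the decoded result afterwards.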